Pull request #3781: detection: fix queue_limit pegcounter evaluation

author Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>

Tue, 21 Mar 2023 16:26:01 +0000 (16:26 +0000)

committer Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>

Tue, 21 Mar 2023 16:26:01 +0000 (16:26 +0000)
author Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Tue, 21 Mar 2023 16:26:01 +0000 (16:26 +0000)
committer Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Tue, 21 Mar 2023 16:26:01 +0000 (16:26 +0000)
diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc

index bee9ef49ca3fd7ae4c9c366f5a183bb0649bc9ec..4886bac493e5f9366246377de9917e1067934b3e 100644 (file)
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -616,6 +616,7 @@ static inline int fpFinalSelectEvent(OtnxMatchData* omd, Packet* p)
          return 0;
  
      unsigned tcnt = 0;
+    int res = 0;
      EventQueueConfig* eq = p->context->conf->event_queue_config;
      int (*compar)(const void *, const void *);
      compar = ( eq->order == SNORT_EVENTQ_PRIORITY )
@@ -646,11 +647,18 @@ static inline int fpFinalSelectEvent(OtnxMatchData* omd, Packet* p)
                  sizeof(void*), compar);
  
              /* Process each event in the action (alert,drop,log,...) groups */
-            for (unsigned j = 0; j < omd->matchInfo[i].iMatchCount; j++)
+            for ( unsigned j = 0; j < omd->matchInfo[i].iMatchCount; j++ )
              {
                  const OptTreeNode* otn = omd->matchInfo[i].MatchArray[j];
                  assert(otn);
  
+                if ( tcnt >= eq->max_events )
+                {
+                    pc.queue_limit += omd->matchInfo[i].iMatchCount - j;
+                    res = 1;
+                    break;
+                }
+
                  RuleTreeNode* rtn = getRtnFromOtn(otn);
  
                  if ( !rtn )
@@ -693,12 +701,6 @@ static inline int fpFinalSelectEvent(OtnxMatchData* omd, Packet* p)
                          fpAddSessionAlert(p, otn);
                  }
  
-                if ( tcnt >= eq->max_events )
-                {
-                    pc.queue_limit++;
-                    return 1;
-                }
-
                  /* only log/count one pass */
                  if ( p->packet_flags & PKT_PASS_RULE )
                      return 1;
@@ -706,7 +708,7 @@ static inline int fpFinalSelectEvent(OtnxMatchData* omd, Packet* p)
          }
      }
  
-    return 0;
+    return res;
  }
  
  class MpseStash
author	Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
	Tue, 21 Mar 2023 16:26:01 +0000 (16:26 +0000)
committer	Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
	Tue, 21 Mar 2023 16:26:01 +0000 (16:26 +0000)